Hi,
On 28.07.21 at 13:16, Maya Zbitneva wrote:
> Good day!
>
> Michael, thank you very much for your professional consultation. It was
> real cryptominer in OS Ubuntu!
Ouch.
> I succeeded in killing it.
Do you have the user of the running process (ps -xau)?
> But I have the question about it.
> How to find the vulnerability from which the malware got in?
That is the hard part. You can try
http://www.chkrootkit.org/ (should be
in Ubuntu) but this also can produce false positives. It might also not
be the right tool…
If you have no idea, no log files or anything, IMHO:
----> Install a new machine!! <----
Make a new machine, set up (Apache / Nginx), Tomcat and, after it is
basically running, copy the DSpace files.
Change passwords and hope nothing awful is copied to the new machine.
Keep it closed - only https and ssh, keep the logins local (no Windows
join).
> Because even if I removed the malware, it can come again using the same
> vulnerability it exploited earlier.
This is what makes admins sleep bad.
> Help me please, what security measures need to be taken to prevent the
> virus from entering the operating system again?
I can only give you some simple tips, because I don't know your
organization, and there are standards you should keep on any machine
running on the internet.
Do not expose any service to the internet which you don't need there -
if you are behind a network firewall, only https (port 443) for DSpace
needs to be accessible from outside - no ssh, no network file systems
etc. Try a port scan from outside.
Update your OS regularly, on DSpace especially Java.
Backup - and restore! Try the restore on a new machine and get a feeling
for that; note down the steps.
If your DSpace is also file-, mail- and print-server, there is something
really wrong - try to split that.
Find a local Linux community to get better help.
But maybe you made everything OK - this can still happen :(.
CU
Michael
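As an added example (not part of the original thread or the DSpace project), here is a small POSIX shell check for Michael's "only https and ssh reachable" rule: it reads `ss -ltnH` output and reports every listener bound to a non-loopback address whose port is not on an allowlist. The `ALLOWED_PORTS` value and the sample socket lines are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example: audit listening TCP sockets against an allowlist.
# ALLOWED_PORTS is an assumption (https + ssh); adjust to your own setup.
ALLOWED_PORTS="${ALLOWED_PORTS:-443 22}"

# Reads `ss -ltnH` (optionally with -p) output on stdin. Columns are:
# State Recv-Q Send-Q Local:Port Peer:Port [Process]. Prints one line per
# listener that is reachable from the network and not on the allowlist.
# Loopback-only listeners (127.x, [::1]) are skipped: the internet cannot
# reach them, so they do not violate the "keep it closed" rule.
audit_listeners() {
    while read -r state recvq sendq local peer rest; do
        [ -n "$local" ] || continue
        port=${local##*:}          # text after the last colon
        addr=${local%:*}           # everything before it, e.g. 0.0.0.0 or [::]
        case "$addr" in
            127.*|'[::1]') continue ;;
        esac
        allowed=0
        for p in $ALLOWED_PORTS; do
            [ "$p" = "$port" ] && allowed=1
        done
        [ "$allowed" = 1 ] || \
            printf 'UNEXPECTED listener %s (process: %s)\n' "$local" "${rest:-unknown}"
    done
}

# Constructed sample of `ss -ltnH` output for demonstration (not real data):
# nginx on 443, sshd on 22, PostgreSQL on loopback only, Tomcat on 8080
# bound to all interfaces, and NFS (2049) on all IPv6 interfaces.
SAMPLE='LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 100 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 100 0.0.0.0:8080 0.0.0.0:*
LISTEN 0 128 [::]:2049 [::]:*'

# Number of unexpected listeners in the constructed sample (expected: 2,
# the Tomcat and NFS sockets).
count_unexpected() {
    printf '%s\n' "$SAMPLE" | audit_listeners | wc -l | tr -d ' '
}

# Live check on an Ubuntu host:  ss -ltnH | audit_listeners
```

Running `ss -ltnH | audit_listeners` on the server itself complements, but does not replace, the port scan from outside that the reply recommends, since a host firewall or the network firewall may still block what the host listens on.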